Win32.Mugly.A, Worm.Win32.Wurmark.a, W32/[email protected]
Email-Worm.Win32.Wurmark.d, [email protected], [email protected]
Category: Computer Worm
02 Dec 2004
This worm is an email worm that uses its own Simple Mail Transfer Protocol (SMTP) engine to propagate. It sends a copy of itself as an attachment to email addresses it has collected from the infected computer system. The [email protected] malware is also known to drop and execute a variant of the W32.Spybot.Worm and will try to open a back door on the affected machine.
If you have malware on your computer, it will cause annoyances and damage your system. You should either:
A. Manually remove the infected files from your computer, or
B. Automatically scan your system using trusted software
We recommend that you scan your system for malware. Our partner has a computer worm removal tool to automatically clean [email protected] from your computer.
The [email protected] is a mass-mailing, memory-resident worm that arrives on the infected machine as an email attachment. When it executes on the machine, it drops a copy of itself as a .TMP file and also drops several other files. Among the files dropped by the malware are a ZIP file, which is the worm's compressed copy; an EXE file, which is a copy of the W32.SdBot.Worm; a JPG file that is not malicious; and 2 DLLs – one is its SMTP mailing engine and the other is a typical archive engine. It likewise drops a SYS file, an unpacker component that the worm uses to register the SVK Protector. The SVK Protector is used by the worm to unpack one of its several dropped files, which is packed using SVKP.
This mass-mailing worm also creates registry entries so that its dropped EXE file runs at startup. This file will create a service. The worm then registers its SMTP engine by creating further registry entries so that it can carry out mass mailing. The [email protected] worm tries to locate target email recipients in files with the extensions asp, adb, doc, dbx, html, htm, sht, php, txt, tbb and wab. It will, however, avoid sending messages to email addresses containing security-related strings. The worm is also known to exploit the Windows LSASS and RPC DCOM vulnerabilities. It also connects to a predefined server and opens arbitrary ports to wait for instructions from its remote author. When executed on the machine, this worm displays its dropped JPG file, which is a picture of a man with a contorted face.